This month, the Government published its second post-implementation review of the 2018 Network and Information Systems (‘NIS’) Regulations. The NIS regime is designed to help protect the UK, and in particular certain essential services (hospitals, energy, transport etc.) and digital services (online marketplaces, online search engines, cloud providers) from a growing cyber threat. But is it working?
Generally, the review concludes that the NIS regulations “are largely working successfully […] to prevent (where possible) and improve the levels of protection against” incidents and should therefore be retained. However, it still finds “room for improvement”. The review makes a number of recommendations which either repeat, or build on, the existing plans to amend the NIS regulations which the Government published in January of this year (see our Lens blog for more details). Those plans drew on the results of the first review from December 2020 (as discussed previously on the Lens) and on early findings from this review.
This latest review recommends work to:
- Ensure that guidance makes it easy to identify whether firms are in scope of the NIS regulations and that organisations that need to be included in the regulations are designated:
This is a particular issue for relevant digital service providers (‘RDSPs’). The review notes that over half of RDSPs could not easily identify that they were in scope, whereas 85% of operators of essential services (‘OES’) could. This may explain why only 169 of the approximately 1,200 organisations estimated to be in scope have registered as RDSPs. The review therefore suggests that the Government and the ICO consider ways to increase awareness of the registration requirements RDSPs have under the regime. As to whether any other organisations should be brought into scope, the review repeats the call made in the January proposals for managed service providers to be included in the NIS regime. It also reiterates the January proposals to create new delegated powers allowing the Government to amend the scope of the NIS regulations in response to sectoral developments, and to bring critical suppliers to OES within the scope of the NIS regime (see below).
- Secure the supply chains of OES, where the supplier is critical to the provision of that essential service:
Supply chain risk is currently a major cyber security concern, yet only 9% of OES indicated that they had the resources to manage it (a decline of 31% since 2020, although the review notes this may in part reflect greater awareness of the problem rather than organisations ceasing to manage it). The review suggests that the January proposals should be implemented: these would designate important suppliers as ‘critical dependencies’ and require them to comply with the same obligations as OES. It also suggests that DCMS consider amending its cyber security guidance to emphasise the relevant risks, as part of a long-term, cross-government response.
- Provide more resources for regulators to enforce the NIS regulations:
The review states that five regulators do not have the tools necessary to implement the NIS regulations. Generally speaking, this is due to: (i) a lack of capacity and capability (staff and training); and (ii) limited powers under the current legal framework. It therefore proposes that the Government ensures regulators receive more funding where they are government departments. Where they are not government bodies, the review notes that DCMS should encourage them to allocate more funding to the NIS regime. For both types of regulator, this includes raising funding by extending the existing cost recovery provisions, something that was again already in the January proposals.
- Assess why the enforcement regime is not being utilised where it is merited:
The review comments that regulators have not made use of the enforcement tools available to them, with only two having used any such tools, despite incidents occurring which might merit enforcement action (the review notes, however, that enforcement should only be a last resort). The review recommends that DCMS assess why the enforcement options are not being used, and suggests work is needed to ensure there is greater consistency in regulatory implementation across sectors. This may include the creation of performance metrics to better measure the impact and effectiveness of the NIS regulations.
- Capture the right cyber incidents:
The NIS regulations oblige those in scope to report incidents to the relevant regulator. However, regulators have received few or no incident reports, despite clear evidence from other sources that many reportable incidents have occurred. This may be because an incident is currently reportable only if it has a material impact on the provision of the service. In practice that threshold captures disruption to availability, so an incident that compromises the confidentiality or integrity of an organisation’s systems, or that reveals an underlying security weakness, can go unreported as long as the service keeps running. The review therefore repeats the January proposals in recommending that the relevant regulators assess and lower the reporting thresholds for their sectors, and that the definition of a reportable incident in the NIS regulations be amended so that it covers “all incidents that have a material impact on the confidentiality, integrity, and availability of those networks and information systems, and that have a potential impact on the continuity of the service.”
From the proposals above, we see that the Government is looking to tighten and improve the UK’s existing cyber security regime rather than replace it, although it appears that little in the review is actually new. Nonetheless, it shows the general trend towards tighter oversight under a regime that can be adapted as needed.
Given the NIS regulations are derived from the EU’s NIS directive, it is also interesting to note that the EU is proposing significant changes to its NIS regime. This includes expanding the sectors covered by its NIS directive, to cover waste water, public administration, and space, as well as creating a new set of subsectors.